Key slots

It uses the keyring device SceSblDMAC5DmacKRBase for the cryptographic key material. The keyring is at physical address 0xE04E0000. The keyring configuration is set during secure boot. Keyring offset +0x400 is used to configure non-secure kernel accessibility. On boot, it defaults to 0x200000FF, which indicates key slots 0-7 and slot 0x1D can by directly used by non-secure kernel. The +0x400 register is only available in secure mode.

There are 0x20 key slots, from 0x0 to 0x1F.

Key slots 0x0-0x7 and 0x1D can be modified directly using dmac5keyring.

Key slot 0x1C seems to be related to memory card.

Functions

The first byte of the function code indicates which function to use and the second byte the key size.

2nd byte

Key size

0

64 and less

1

128

2

192

3

256 and 512

The following functions are available:

0x301: AES-256-ECB encrypt

0x302: AES-256-ECB decrypt

0x201: AES-192-ECB encrypt

0x202: AES-192-ECB decrypt

0x101: AES-128-ECB encrypt

0x102: AES-128-ECB decrypt

0x309: AES-256-CBC encrypt

0x30a: AES-256-CBC decrypt

0x209: AES-192-CBC encrypt

0x20a: AES-192-CBC decrypt

0x109: AES-128-CBC encrypt

0x10a: AES-128-CBC decrypt

0x4: Random Number Generator

0x3: SHA1

0x13: SHA256

0x23: HMAC-SHA1

0x33: HMAC-SHA256

0x3B: CMAC-AES

0x21: AES-128-CTR encrypt

0x22: AES-128-CTR decrypt (identical to encrypt)

0x41: DES-64-ECB encrypt

0x42: DES-64-ECB decrypt

0x49: DES-64-CBC encrypt

0x4A: DES-64-CBC decrypt

probably there are more

There is usage of higher bits in the commands that don't seem to have much affect. For the encryption examples, 0xC002000 is also set on the command upper bits